The views expressed by contributors are their own and not the view of The Hill

Hacker conference proves how weak US voting machines really are

by Michael DeLaGarza, opinion contributor - 08/19/17 7:00 AM ET

In January, Secretary of Homeland Security Jeh Johnson announced: “Given the vital role elections play in this country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure, in fact and in law.”

With this one statement, the nation’s election infrastructure was firmly placed for the first time on equal footing with other parts of America’s critical infrastructure such as emergency services, nuclear reactors, and water systems. While this was a welcome designation, events that unfolded in late July demonstrated just how vulnerable this infrastructure really is.

With the ongoing controversy surrounding the integrity of our nation’s voting systems, hackers at the 25th annual DEF CON computer security conference held late last month in Las Vegas were given an unprecedented opportunity to find and exploit possible vulnerabilities in a variety of different voting systems supplied by organizers of the show.

Election company exposes voting data for 1.8 million Chicago voters online https://t.co/uh4e0aGycs pic.twitter.com/vDl4iUnzfC

— The Hill (@thehill) August 18, 2017

These machines, from leading vendors such as Diebold, Sequoia, and Winvote, have been commonly used in previous elections held throughout the country. The results were not encouraging. Of the 30 voting machines that were used for this demonstration, every single system was shown to have vulnerabilities — and some of these machines were hacked in about half an hour.

{mosads}How is this possible? In some cases, these machines were running very outdated software that was easily exploitable. In other cases, some had physical USB ports that could be readily accessed to install malicious software. Other systems were compromised wirelessly by exploiting weaknesses in the Wi-Fi connectivity built-in to the system.

While these results were alarming, it was not entirely surprising to security experts. There is a growing consensus within the security community that it is not a question of “if” a computer or electronic device can be hacked, it is simply a question of “when.” Voting machines are especially vulnerable since much of the technology underpinning these machines are more than 20 years old in some cases.

This leads to the logical question of what to do next. I would suggest a two-step approach. Step one would be a simple acknowledgement that hacking of these machines is an inevitability. This sounds counterintuitive but by making this simple statement, it then becomes possible to foster a different way of thinking about how to approach the problem. This doesn’t mean that vendors and government officials shouldn’t try and prevent these hacks through improved security policies and protocols; it simply means that we won’t assume these techniques will be foolproof.

Watch hackers try to break into 30 voting machines at @Defcon. pic.twitter.com/2aMKvwahtG

— CNET (@CNET) July 29, 2017

Step two then involves focusing efforts around mitigating the impact of the inevitable breach. For starters, the application of standard security recommendations for any piece of electronic equipment — updating software, applying patches, using multi-factor authentication, etc. — is certainly necessary. However, for voting systems being treated as critical infrastructure, these tactics alone are not sufficient. For voting systems, what is also needed is the creation of a last layer of defense that will protect both voter information and the votes themselves from the inevitable hack.

To achieve this, voting machine vendors should be ubiquitously employing an advanced data protection and encryption model that will protect all sensitive voter information — both while it is stored on databases and/or voting machines and while this same information is being sent to and from these systems. For example, my company, CipherLoc Corporation offers data protection solution for “data-at-rest” and “data-in-motion.”

While it is impossible to ever fully make a system “hacker-proof,” it is possible to safeguard data by rendering it unusable to an attacker. While this will require the cooperation of both government officials and the vendors themselves, it is a very small price to pay to ensure the integrity of our elections — both now and in the future.